includes my home as a starting point; my request is too easily disaggregated from the bundle.

Bear in mind that system designers need not completely eliminate the transfer of location information; it would be sufficient to reduce the precision of the location information to the point where the preference mapping gives the attacker or marketer little with which to work.[p] Given the decreasing cost of memory and bandwidth, it is both efficacious and inexpensive to simply blur the location estimate provided with the request for mapping functionality.[q] An LBS user may, for example, submit a request to the Doppio Detector that includes his or her location as “somewhere in downtown Ithaca,” rather than a specific address. The server will respond with a map that indicates the locations of all the espresso shops in downtown Ithaca. The user’s handset can then use its more precise knowledge of his or her location to determine the nearest espresso shop and generate directions accordingly.

Anonymity can also be preserved by limiting the length m of each location trace. This limitation is accomplished by preventing the LBS from determining which requests, if any, come from a given user.[r] As described in Wicker [27], public-key infrastructure and encrypted authorization messages can be used to authenticate users of a service without providing their actual identities. Random tags can be used to route responses back to anonymous users. Anonymity for frequent users of an LBS may thus be protected by associating each request with a different random tag. All users of the LBS thus enjoy a form of k-anonymity. Coupled with coarse location estimates or random location offsets, this approach shows great promise for preserving user anonymity while allowing users to enjoy the benefits of location-based services.

[p] Privacy-preserving data mining techniques (such as those developed by Evfimievski et al. [11]) may also provide solutions.
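The two design rules just described, a coarsened location in the request and a fresh random tag per request, can be put together in a small client/server simulation. This is an added example, not code from the article; the shop coordinates are constructed, the grid-cell blurring with a 0.01-degree cell (roughly 1 km) is one illustrative choice of coarseness, and the server never sees anything finer than the cell index.

```python
import math
import secrets

# Constructed sample data: espresso shops with (name, lat, lon). Coordinates
# are illustrative only and do not correspond to real businesses.
SHOPS = [
    ("Shop A", 42.4412, -76.4962),
    ("Shop B", 42.4437, -76.4851),
    ("Shop C", 42.4398, -76.4964),
    ("Shop D", 42.4449, -76.4915),
]
CELL_DEG = 0.01  # grid cell edge in degrees; ~1.1 km of latitude


def coarsen(lat, lon, cell_deg=CELL_DEG):
    """Handset side: reduce a precise fix to an integer grid-cell index.

    Every position inside the same cell maps to the same index, so the
    request reveals only 'somewhere in this cell', not an address."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def new_request_tag():
    """Handset side: a fresh random tag for routing the reply back.

    Because the tag changes on every request, the server cannot link two
    requests into a location trace (it bounds the trace length m at 1)."""
    return secrets.token_hex(8)


def server_lookup(cell, shops=SHOPS, cell_deg=CELL_DEG):
    """Server side: it receives only the cell index and returns every shop
    in that cell. It has no precise user position to store or correlate."""
    return [s for s in shops if coarsen(s[1], s[2], cell_deg) == cell]


def nearest(lat, lon, candidates):
    """Handset side: pick the closest candidate using the precise fix that
    never left the device (planar distance is fine at city scale)."""
    return min(candidates, key=lambda s: math.hypot(s[1] - lat, s[2] - lon))


def find_espresso(lat, lon, shops=SHOPS, cell_deg=CELL_DEG):
    """Full round trip: blur, tag, query, then refine locally."""
    cell = coarsen(lat, lon, cell_deg)
    tag = new_request_tag()
    candidates = server_lookup(cell, shops, cell_deg)
    shop = nearest(lat, lon, candidates)[0] if candidates else None
    return {"cell": cell, "tag": tag, "candidates": len(candidates), "shop": shop}
```

Two requests from the same spot produce the same cell but different tags, which is exactly what the server is left with: a cell-level count of queries it cannot attribute to any one handset.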

Conclusion

The increasing precision of cellular-location estimates is at a critical threshold; using access-point and cell-site location information, service providers are able to obtain location estimates with address-level precision. Compilation of these estimates creates a serious privacy problem, as it can be highly revealing of user behavior, preferences, and beliefs. The subsequent danger to user safety and autonomy is substantial.

To determine the extent to which location data can be anonymized, this article has explored the Shannon-theoretic concept of unicity distance to reveal the dynamics of correlation attacks through which existing data records are used to attribute individual identities to allegedly anonymous information. With this model in mind, it has also laid out rules of thumb for designing anonymous location-based services. Critical to them is maintenance of a coarse level of granularity for any location estimate available to service providers and the disassociation of repeated requests for location-based services to prevent construction of long-term location traces.

Acknowledgments

This work is funded in part by the National Science Foundation TRUST Science and Technology Center and the NSF Trustworthy Computing Program. I gratefully acknowledge the technical and editorial assistance of Sarah Wicker, Jeff Pool, Nathan Karst, Bhaskar Krishnamachari, Kaveri Chaudhry, and Surbhi Chaudhry.

References

1. Agnew, J.A. Place and Politics: The Geographical Mediation of State and Society. Unwin Hyman, London, 1987.

14. Gruteser, M. and Grunwald, D. Anonymous usage of location-based services through spatial and temporal cloaking. In Proceedings of the First International Conference on Mobile Systems, Applications, and Services (San Francisco, May 5–8). ACM Press, New York, 2003, 31–42.

15. Hansell, S. AOL removes search data on vast group of Web users. The New York Times (Aug. 8, 2006).

18. Kifer, D. and Machanavajjhala, A. No free lunch in data privacy. In Proceedings of the SIGMOD 2011 International Conference on Management of Data (Athens, June 12–16). ACM Press, New York, 2011, 193–204.

Stephen B. Wicker (wicker@ece.cornell.edu) is a professor in the School of Electrical and Computer Engineering of Cornell University, Ithaca, NY, and a member of the graduate fields of information science and computer science.